Changeset 0e389d13
- Timestamp:
- 10/26/2014 02:55:55 PM (10 years ago)
- Branches:
- krejzi/svn
- Children:
- 169031f
- Parents:
- cb9c6940
- Files:
  - 4 edited
  - 7 moved
introduction/welcome/changelog.xml
rcb9c6940 r0e389d13 52 52 </listitem> 53 53 <listitem> 54 <para>[krejzi] - Converted Cyrus-SASL, Firewalling, Haveged, Iptables, MIT Kerberos V5, OpenSSH and Stunnel instructions to work on systemd setups.</para> 55 </listitem> 56 <listitem> 54 57 <para>[krejzi] - Converted Polkit instructions to use systemd-logind.</para> 55 58 </listitem> -
postlfs/security/cyrus-sasl-systemd.xml
rcb9c6940 r0e389d13 102 102 <xref linkend="linux-pam"/>, 103 103 <xref linkend="mitkrb"/>, 104 <xref linkend="mariadb"/> or <ulink url="http://www.mysql.com/">MySQL</ulink>,104 <xref linkend="mariadb"/>, 105 105 <xref linkend="openjdk"/>, 106 106 <xref linkend="openldap"/>, … … 177 177 178 178 <para> 179 < option>--with-dblib=gdbm</option>: This switch forces179 <parameter>--with-dblib=gdbm</parameter>: This switch forces 180 180 <application>GDBM</application> to be used instead of 181 181 <application>Berkeley DB</application>. … … 268 268 269 269 <sect3 id="cyrus-sasl-init"> 270 <title> Init Script</title>270 <title>Systemd Units</title> 271 271 272 272 <para> 273 If you need to run the <command>saslauthd</command> daemon at system274 startup, install the <filename>/etc/rc.d/init.d/saslauthd</filename>275 init script included in the <xref linkend="bootscripts"/>276 package using the following command:273 To start the <command>saslauthd</command> daemon at boot, 274 install the systemd unit from the <xref linkend="bootscripts"/> 275 package by running the following command as the 276 <systemitem class="username">root</systemitem> user: 277 277 </para> 278 278 … … 285 285 <note> 286 286 <para> 287 You'll need to modify /etc/sysconfig/saslauthd and replace the288 < option><replaceable>AUTHMECH</replaceable></option> parameter289 with your desired authentication mechanism.287 The default authentication method is "shadow". The 288 <filename>/etc/default/saslauthd</filename> 289 file needs to be modified for anything else. 290 290 </para> 291 291 </note> -
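Review bot: the rewritten note drops the one detail an administrator needs from the text it replaces, namely which setting in `/etc/default/saslauthd` selects the authentication mechanism. The old wording named the `AUTHMECH` parameter; the new wording only says the file "needs to be modified for anything else". Suggest keeping the parameter name, e.g. "The default authentication mechanism is shadow; to use another one, set `AUTHMECH` in `/etc/default/saslauthd`." The `<option>` to `<parameter>` change for `--with-dblib=gdbm` and the removal of the dead MySQL link are fine.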
postlfs/security/firewalling-systemd.xml
rcb9c6940 r0e389d13 141 141 </caution> 142 142 143 <para>The firewall configuration script installed in the iptables section144 differs from the standard configuration script. It only has two of145 the standard targets: start and status. The other targets are clear146 and lock. For instance if you issue:</para>147 148 <screen role="root"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>149 150 <para>the firewall will be restarted just as it is upon system startup.151 The status target will present a list of all currently implemented152 rules. The clear target turns off all firewall rules and the lock153 target will block all packets in and out of the computer with the154 exception of the loopback interface.</para>155 156 143 <para>The main startup firewall is located in the file 157 <filename>/etc/ rc.d/rc.iptables</filename>. The sections below provide144 <filename>/etc/systemd/scripts/iptables</filename>. The sections below provide 158 145 three different approaches that can be used for a system.</para> 159 146 … … 178 165 to the Linux 2.6 kernels.</para> 179 166 180 <screen role="root"><?dbfo keep-together="auto"?><userinput>cat > /etc/rc.d/rc.iptables << "EOF" 167 <screen role="root"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts 168 169 cat > /etc/systemd/scripts/iptables << "EOF" 181 170 <literal>#!/bin/sh 182 171 183 # Begin rc.iptables172 # Begin /etc/systemd/scripts/iptables 184 173 185 174 # Insert connection-tracking modules … … 250 239 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 251 240 252 # End $rc_base/rc.iptables</literal>241 # End /etc/systemd/scripts/iptables</literal> 253 242 EOF 254 chmod 700 /etc/ rc.d/rc.iptables</userinput></screen>243 chmod 700 /etc/systemd/scripts/iptables</userinput></screen> 255 244 256 245 <para>This script is quite simple, it drops all traffic coming … … 284 273 a worm via a buffer-overflow).</para> 285 274 286 <screen role="root"><?dbfo 
keep-together="auto"?><userinput>cat > /etc/rc.d/rc.iptables << "EOF" 275 <screen role="root"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts 276 277 cat > /etc/systemd/scripts/iptables << "EOF" 287 278 <literal>#!/bin/sh 288 279 289 # Begin rc.iptables280 # Begin /etc/systemd/scripts/iptables 290 281 291 282 echo … … 371 362 372 363 # Enable IP Forwarding 373 echo 1 > /proc/sys/net/ipv4/ip_forward</literal> 364 echo 1 > /proc/sys/net/ipv4/ip_forward 365 366 # End /etc/systemd/scripts/iptables</literal> 374 367 EOF 375 chmod 700 /etc/ rc.d/rc.iptables</userinput></screen>368 chmod 700 /etc/systemd/scripts/iptables</userinput></screen> 376 369 377 370 <para>With this script your intranet should be reasonably secure -
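Review bot: the removed paragraph ("It only has two of the standard targets: start and status. The other targets are clear and lock ...") was the only place that told the reader how to re-apply, inspect, or lock down the firewall after editing the script, and nothing in the added text replaces it. Under systemd the script is now just a file in `/etc/systemd/scripts/`, so suggest one sentence stating that it is executed by the unit installed in the Iptables section and how to re-run it after a change, otherwise an edited ruleset sits unapplied until the next boot. The path changes themselves are consistent: both scripts now open with `# Begin /etc/systemd/scripts/iptables`, `chmod 700` is kept, and the masquerading script gains the `# End` marker it was missing.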
postlfs/security/gnutls.xml
rcb9c6940 r0e389d13 111 111 <xref linkend="unbound"/> (to build the DANE library), 112 112 <xref linkend="valgrind"/> (used during the test suite), 113 <ulink url="http://ftp.gnu.org/gnu/autogen/"> autogen</ulink>, and113 <ulink url="http://ftp.gnu.org/gnu/autogen/">Autogen</ulink>, and 114 114 <ulink url="http://sourceforge.net/projects/trousers/files/trousers/">Trousers</ulink> (Trusted Platform Module support) 115 115 </para> … … 134 134 </para> 135 135 136 <screen><userinput>./configure --prefix=/usr \ 137 --with-default-trust-store-file=/etc/ssl/ca-bundle.crt && 136 <screen><userinput>./configure --prefix=/usr && 138 137 make</userinput></screen> 139 138 … … 163 162 <sect2 role="commands"> 164 163 <title>Command Explanations</title> 165 166 <para>167 <parameter>--with-default-trust-store-file=/etc/ssl/ca-bundle.crt</parameter>:168 This switch tells <command>configure</command> where to find the169 CA Certificates.170 </para>171 164 172 165 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" … … 191 184 libgnutls.so, libgnutls-dane.so, 192 185 libgnutls-openssl.so, libgnutlsxx.so, and 193 /usr/lib/guile/2.0/guile-gnutls-v-2.so186 guile-gnutls-v-2.so (<application>Guile</application> Module 194 187 </seg> 195 188 <seg> -
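Review bot: the installed-libraries entry `guile-gnutls-v-2.so (<application>Guile</application> Module` is missing its closing parenthesis, so the rendered text reads "(Guile Module" with nothing closing it. Separately, dropping `--with-default-trust-store-file=/etc/ssl/ca-bundle.crt` together with its Command Explanations entry leaves the page silent on which CA bundle GnuTLS trusts by default, and that decides whether certificate verification in `gnutls-cli` and in packages linked against it succeeds or fails. If configure now locates the system bundle on its own, say so in the commit message or keep a one-line explanation; if it does not, the switch should stay.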
postlfs/security/haveged-systemd.xml
rcb9c6940 r0e389d13 104 104 105 105 <sect3 id="haveged-init"> 106 <title> Boot Script</title>106 <title>Systemd Units</title> 107 107 108 108 <para> 109 If you want the <application>Haveged</application> daemon to110 start automatically when the system is booted, install the111 <filename>/etc/rc.d/init.d/haveged</filename> init script included112 in the <xref linkend="bootscripts"/> package.109 To start the <command>haveged</command> daemon at boot, 110 install the systemd unit from the <xref linkend="bootscripts"/> 111 package by running the following command as the 112 <systemitem class="username">root</systemitem> user: 113 113 </para> 114 114 -
postlfs/security/iptables-systemd.xml
rcb9c6940 r0e389d13 181 181 182 182 <sect3 id="iptables-init"> 183 <title> Boot Script</title>183 <title>Systemd Units</title> 184 184 185 185 <para> 186 To set up the iptables firewall at boot, install the 187 <filename>/etc/rc.d/init.d/iptables</filename> init script included 188 in the <xref linkend="bootscripts"/> package. 186 To set up the <application>Iptables</application> firewall at boot, 187 install the systemd unit from the <xref linkend="bootscripts"/> 188 package by running the following command as the 189 <systemitem class="username">root</systemitem> user: 189 190 </para> 190 191 -
postlfs/security/mitkrb-systemd.xml
rcb9c6940 r0e389d13 123 123 <para>You will probably see output similar to:</para> 124 124 125 <screen><literal>gpg: Signature made Mon Aug 11 22:53:10 2014 GMT using RSA key ID 749D7889125 <screen><literal>gpg: Signature made Thu 16 Oct 2014 02:02:43 AM CEST using RSA key ID 749D7889 126 126 gpg: Can't check signature: No public key</literal></screen> 127 127 … … 148 148 -e "s@-lpython2.5]@&,\n AC_CHECK_LIB(python2.7,main,[PYTHON_LIB=-lpython2.7])@g" \ 149 149 -i configure.in && 150 sed -e 's@\^u}@^u cols 300}@' \151 -i tests/dejagnu/config/default.exp &&152 150 autoconf && 153 151 ./configure --prefix=/usr \ … … 156 154 --with-system-et \ 157 155 --with-system-ss \ 158 --with -system-verto=no \159 --enable-dns-for-realm &&156 --without-system-verto \ 157 --enable-dns-for-realm && 160 158 make</userinput></screen> 161 159 … … 178 176 for LIBRARY in gssapi_krb5 gssrpc k5crypto kadm5clnt kadm5srv \ 179 177 kdb5 kdb_ldap krad krb5 krb5support verto ; do 180 chmod -v 755 /usr/lib/lib$LIBRARY.so181 done 178 [ -e /usr/lib/lib$LIBRARY.so ] && chmod -v 755 /usr/lib/lib$LIBRARY.so 179 done && 182 180 unset LIBRARY && 183 181 184 mv -v /usr/lib/libkrb5.so. 3* /lib &&185 mv -v /usr/lib/libk5crypto.so. 3* /lib &&186 mv -v /usr/lib/libkrb5support.so. 
0* /lib &&187 188 ln - v -sf ../../lib/libkrb5.so.3.3/usr/lib/libkrb5.so &&189 ln - v -sf ../../lib/libk5crypto.so.3.1/usr/lib/libk5crypto.so &&190 ln - v -sf ../../lib/libkrb5support.so.0.1/usr/lib/libkrb5support.so &&182 mv -v /usr/lib/libkrb5.so.* /lib && 183 mv -v /usr/lib/libk5crypto.so.* /lib && 184 mv -v /usr/lib/libkrb5support.so.* /lib && 185 186 ln -sfv ../../lib/$(readlink /usr/lib/libkrb5.so) /usr/lib/libkrb5.so && 187 ln -sfv ../../lib/$(readlink /usr/lib/libk5crypto.so) /usr/lib/libk5crypto.so && 188 ln -sfv ../../lib/$(readlink /usr/lib/libkrb5support.so) /usr/lib/libkrb5support.so && 191 189 192 190 mv -v /usr/bin/ksu /bin && … … 194 192 195 193 install -v -dm755 /usr/share/doc/krb5-&mitkrb-version; && 196 cp - vfr../doc/* /usr/share/doc/krb5-&mitkrb-version;</userinput></screen>194 cp -rfv ../doc/* /usr/share/doc/krb5-&mitkrb-version;</userinput></screen> 197 195 198 196 … … 204 202 <para> 205 203 <command>sed -e ...</command>: The first <command>sed</command> fixes 206 <application>Python</application> detection. The second one increases204 <application>Python</application> detection.<!-- The second one increases 207 205 the width of the virtual terminal used for some tests, to prevent 208 some spurious characters to be echoed, which is taken as a failure. 209 </para> 210 211 <para> 212 <parameter>--localstatedir=/var/lib</parameter>: This parameteris206 some spurious characters to be echoed, which is taken as a failure. --> 207 </para> 208 209 <para> 210 <parameter>--localstatedir=/var/lib</parameter>: This switch is 213 211 used so that the Kerberos variable run-time data is located in 214 212 <filename class="directory">/var/lib</filename> instead of … … 229 227 230 228 <para> 231 <parameter>--with -system-verto=no</parameter>: This switch fixes a bug in232 the package: it does not recognize its own verto library installed233 previously. 
This is not a problem, if reinstalling the same version,234 but if you are updating, the old library is used as system's one,235 inst ead of installing the new version.229 <parameter>--without-system-verto</parameter>: This switch causes 230 the build to use the internal version of <filename 231 class="libraryfile">libverto</filename> library in case older one 232 is present from previous <application>Kerberos</application> 233 installation. 236 234 </para> 237 235 … … 458 456 459 457 <sect3 id="mitkrb-init"> 460 <title> Init Script</title>458 <title>Systemd Units</title> 461 459 462 460 <para> 463 If you want to start <application>Kerberos</application> services464 at boot, install the <filename>/etc/rc.d/init.d/krb5</filename> init465 script included in the <xref linkend="bootscripts"/> package using466 the following command:461 To start the Kerberos services at boot, 462 install the systemd units from the <xref linkend="bootscripts"/> 463 package by running the following command as the 464 <systemitem class="username">root</systemitem> user: 467 465 </para> 468 466 … … 496 494 </seg> 497 495 <seg> 498 libgssapi_krb5.so, libgssrpc.so, libk5crypto.so, libkadm5clnt_mit.so,499 libkadm5clnt.so, libkadm5srv _mit.so, libkadm5srv.so, libkdb_ldap.so500 (optional), libk db5.so, libkrad.so, libkrb5.so, libkrb5support.so,501 libverto.so , and some plugins under the /usr/lib/krb5 tree496 libgssapi_krb5.so, libgssrpc.so, libk5crypto.so, 497 libkadm5clnt.so, libkadm5srv.so, libkdb5.so, libkdb_ldap.so 498 (optional), libkrad.so, libkrb5.so, libkrb5support.so, and 499 libverto.so 502 500 </seg> 503 501 <seg> … … 508 506 /usr/lib/krb5, 509 507 /usr/share/doc/krb5-&mitkrb-version;, 510 /usr/share/examples/krb5, 511 /usr/share/gnats/, and 508 /usr/share/examples/krb5 and 512 509 /var/lib/krb5kdc 513 510 </seg> -
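Review bot: the command explanation is now misleading: the second `sed` (the `tests/dejagnu/config/default.exp` column-width fix) is gone from the build commands, yet the paragraph still opens with "The first <command>sed</command> fixes Python detection" and its continuation survives as an XML comment inside the `<para>`. With one sed left, reword to "The <command>sed</command> fixes Python detection" and delete the commented-out sentence rather than leaving dead text in the paragraph. The new `--without-system-verto` explanation also reads awkwardly ("use the internal version of libverto library in case older one is present from previous Kerberos installation"); suggest "This switch makes the build use its bundled libverto instead of a libverto left behind by a previous Kerberos installation, which would otherwise be picked up in place of the new version", which keeps the point the old text made.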
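Review bot: in the chmod loop, `[ -e /usr/lib/lib$LIBRARY.so ] && chmod -v 755 ...` followed by `done &&` is fragile. A `for` loop exits with the status of the last command run in its body, so if the file for the final entry (`verto`) is absent the test fails, the loop returns non-zero, and the `&&` chain stops before the libraries are moved to `/lib`. It works here only because `--without-system-verto` makes the build install `libverto.so`; an `if [ -e ... ]; then chmod ...; fi` body returns zero either way and does not depend on list order. The `ln -sfv ../../lib/$(readlink /usr/lib/libkrb5.so) /usr/lib/libkrb5.so` form is a real improvement over the hard-coded `.so.3.3` names, since it follows whatever soname the installed symlink points at (the `mv` of `libkrb5.so.*` leaves the unversioned symlink in place, so `readlink` still resolves it).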
postlfs/security/openssh-systemd.xml
rcb9c6940 r0e389d13 83 83 <para role="required"> 84 84 <xref linkend="openssl"/> or 85 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink></para> 85 <ulink url="http://www.libressl.org/">LibreSSL Portable</ulink> 86 </para> 86 87 87 88 <bridgehead renderas="sect4">Optional</bridgehead> … … 302 303 303 304 <sect3 id="openssh-init"> 304 <title>Boot Script</title> 305 306 <para> 307 To start the SSH server at system boot, install the 308 <filename>/etc/rc.d/init.d/sshd</filename> init script included 309 in the <xref linkend="bootscripts"/> package. 310 </para> 305 <title>Systemd Units</title> 306 307 <para> 308 To start the <command>sshd</command> daemon at boot, 309 install the systemd units from the <xref linkend="bootscripts"/> 310 package by running the following command as the 311 <systemitem class="username">root</systemitem> user: 312 </para> 311 313 312 314 <indexterm zone="openssh openssh-init"> … … 315 317 316 318 <screen role="root"><userinput>make install-sshd</userinput></screen> 319 320 <note> 321 <para> 322 This package comes with two types of units: A service file and a socket file. 323 The service file will start sshd daemon once at boot and it will keep running until the 324 system shuts down. The socket file will make systemd listen on sshd port (Default 22, needs 325 to be edited for anything else) and will start sshd daemon when something tries to connect 326 to that port and stop the daemon when the connection is terminated. This is 327 called socket activation. 328 329 By default, the first method is used - sshd daemon is started at boot and stopped at shutdown. 
330 If the socket method is desired, you need to run as the 331 <systemitem class="username">root</systemitem> user: 332 333 <screen role="root"><userinput>systemctl stop sshd && 334 systemctl disable sshd && 335 systemctl enable sshd.socket && 336 systemctl start sshd.socket</userinput></screen> 337 </para> 338 </note> 339 317 340 </sect3> 318 341 </sect2> … … 336 359 <seg> 337 360 /etc/ssh, 361 /usr/libexec/openssh, 338 362 /usr/share/doc/openssh-&openssh-version;, and 339 363 /var/lib/sshd -
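Review bot: the new `<note>` puts two paragraphs of text, separated by a blank line, inside a single `<para>`; the blank line does not survive rendering, so "called socket activation." and "By default, the first method is used" will run together. Split it into two `<para>` elements (the `<screen>` can stay inside the second). The switch-over command also deserves a caution in the text: `systemctl stop sshd` runs before `sshd.socket` is enabled and started, so an administrator doing this over an SSH session can lose the session when the service's control group is stopped (the default KillMode, unless the unit sets `KillMode=process`) and be left with neither unit enabled. Suggest saying it should be run from a local console, or putting `systemctl enable sshd.socket` first so the socket is at least active on the next boot. Minor: "sshd port (Default 22, needs to be edited for anything else)" should say where that is edited; with socket activation the listening port belongs to the socket unit, not to `Port` in `sshd_config`.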
postlfs/security/security.xml
rcb9c6940 r0e389d13 44 44 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cacerts.xml"/> 45 45 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cracklib.xml"/> 46 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cyrus-sasl .xml"/>46 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="cyrus-sasl-systemd.xml"/> 47 47 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gnupg2-systemd.xml"/> 48 48 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gnutls.xml"/> 49 49 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gpgme.xml"/> 50 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="haveged .xml"/>51 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables .xml"/>52 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling .xml"/>50 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="haveged-systemd.xml"/> 51 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="iptables-systemd.xml"/> 52 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="firewalling-systemd.xml"/> 53 53 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="libcap-systemd.xml"/> 54 54 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="linux-pam.xml"/> 55 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="mitkrb .xml"/>55 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="mitkrb-systemd.xml"/> 56 56 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nettle.xml"/> 57 57 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="nss.xml"/> 58 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh .xml"/>58 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssh-systemd.xml"/> 59 59 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="openssl.xml"/> 60 60 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="p11-kit.xml"/> … … 62 62 <xi:include 
xmlns:xi="http://www.w3.org/2001/XInclude" href="shadow.xml"/> 63 63 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="ssh-askpass.xml"/> 64 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="stunnel .xml"/>64 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="stunnel-systemd.xml"/> 65 65 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="sudo.xml"/> 66 66 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="tripwire.xml"/> -
postlfs/security/shadow.xml
rcb9c6940 r0e389d13 631 631 <para> 632 632 A list of the installed files, along with their short descriptions can be 633 found at <ulink url=" http://www.linuxfromscratch.org/lfs/view/&lfs-version;/chapter06/shadow.html#contents-shadow"/>.633 found at <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>. 634 634 </para> 635 635 -
postlfs/security/stunnel-systemd.xml
rcb9c6940 r0e389d13 114 114 </note> 115 115 116 <para> 117 Fix the bundled systemd unit so it does not use a deprecated dependency: 118 </para> 119 120 <screen><userinput>sed -i /syslog.target/d tools/stunnel.service.in</userinput></screen> 121 116 122 <para>Install <application>stunnel</application> by running the following 117 123 commands:</para> … … 127 133 128 134 <screen role="root"><userinput>make docdir=/usr/share/doc/stunnel-&stunnel-version; install</userinput></screen> 135 136 <para> 137 Install the systemd unit by running the following command as the 138 <systemitem class="username">root</systemitem> user: 139 </para> 140 141 <screen role="root"><userinput>install -v -m644 tools/stunnel.service /lib/systemd/system/stunnel.service</userinput></screen> 129 142 130 143 <para>To create the <filename>stunnel.pem</filename> in the … … 229 242 230 243 <sect3 id="stunnel-init"> 231 <title>Boot Script</title> 232 233 <para>To automatically start the <command>stunnel</command> daemon 234 when the system is rebooted, install the 235 <filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the 236 <xref linkend="bootscripts"/> package.</para> 244 <title>Systemd Units</title> 245 246 <para> 247 To start the <command>stunnel</command> daemon at boot, 248 enable the previously installed systemd unit by 249 running the following command as the 250 <systemitem class="username">root</systemitem> user: 251 </para> 237 252 238 253 <indexterm zone="stunnel stunnel-init"> … … 240 255 </indexterm> 241 256 242 <screen role="root"><userinput> make install-stunnel</userinput></screen>257 <screen role="root"><userinput>systemctl enable stunnel</userinput></screen> 243 258 244 259 </sect3>
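Review bot: the lead-in "Fix the bundled systemd unit so it does not use a deprecated dependency" should name the dependency, since the `sed -i /syslog.target/d tools/stunnel.service.in` line is the reader's only clue: say it removes the `syslog.target` dependency. The sed edits the `.in` template, so it has to run before `./configure` generates `tools/stunnel.service`; placing it ahead of "Install stunnel by running the following commands" satisfies that, but one clause saying so would keep someone from moving it later. The install line (`install -v -m644 tools/stunnel.service /lib/systemd/system/stunnel.service`) and the switch from `make install-stunnel` to `systemctl enable stunnel` are consistent with the unit now coming from the package itself rather than the bootscripts package, which is the one place this changeset differs from the other converted packages and might be worth a word in the changelog entry.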